Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If I remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that were the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:84

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

Apr 8, 2011 5:53 AM in response to mwl10

I automated this process & gave details here: http://macmule.com/2011/03/11/slow-login-for-ad-mobile-accounts-when-off-the-office-lan/


----

I've an update on the issue though.

What seems to happen is that when you login your mac tries to resolve your AD Domain through DNS.

If your domain does not resolve externally then you'll experience the slow issues.

I've moved companies & do not have the issue & this seems to work.

Examples:

No Delay: AD Domain mycompany.com > externally resolves to company website called mycompany.com

Delay: AD Domain mycompany.global > externally does not resolve = delay

May 25, 2011 9:32 AM in response to Ben Toms

Our OD is a dot com domain and not a dot local. We were experiencing the slow login while on an "outside" network as well but this Apple post fixed it nicely. http://support.apple.com/kb/TS3560


The big thing that's changed is that the file: /Library/Preferences/edu.mit.Kerberos contained IP addresses of our OD server as well as the domain names. Those IPs were 10.x.x.x IPs (which are correct when on our network) and once I erased those lines and rebooted (the reboot is important), the problem went away - fast logins now, every time.


The Apple support link above gives you a method of changing it on your OD server so that everyone else's edu.mit.Kerberos file will be updated automatically the next time they log in on the network.


I can't comment on whether it has anything to do with a .com or .local domain but ours is .com and the fix worked.
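
A check for the condition described in the post above (private 10.x.x.x server addresses left in /Library/Preferences/edu.mit.Kerberos), shown as an added example that is not part of the original post. It generalizes to all RFC 1918 ranges and assumes the file uses the standard krb5 `key = value` layout; the function names and sample contents are constructed.

```shell
#!/bin/sh
# Added example: list kdc / admin_server / kpasswd_server entries whose host
# is a private (RFC 1918) IPv4 literal. Such entries only work on the LAN.

private_kdc_entries() {
    # $1 = path to a krb5-style file, e.g. /Library/Preferences/edu.mit.Kerberos
    # Output: one "<line number>:<key>=<value>" per offending entry.
    awk '
    /^[ \t]*#/ { next }                                   # skip comments
    /^[ \t]*(kdc|admin_server|kpasswd_server)[ \t]*=/ {
        split($0, kv, "=")
        key = kv[1]; val = kv[2]
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        host = val; sub(/:[0-9]+$/, "", host)             # drop optional :port
        if (host ~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
            host ~ /^192\.168\.[0-9]+\.[0-9]+$/ ||
            host ~ /^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$/)
            printf "%d:%s=%s\n", NR, key, val
    }' "$1"
}

write_sample() {
    # Constructed sample contents (hypothetical realm and addresses).
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = OD.EXAMPLE.COM
[realms]
    OD.EXAMPLE.COM = {
        kdc = 10.0.1.5:88
        kdc = od.example.com
        admin_server = 10.0.1.5
        kpasswd_server = od.example.com
    }
[domain_realm]
    .example.com = OD.EXAMPLE.COM
EOF
}

# Demo run against the constructed sample; on a client, pass the real path.
sample=$(mktemp)
write_sample "$sample"
private_kdc_entries "$sample"
rm -f "$sample"
```

An empty result means every listed server is given by name or by a public address.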

Oct 21, 2011 9:43 AM in response to ddtmm

It gives me great pleasure to announce that I no longer have this issue. It has been the bane of my Mac admin existence for well over a year now. For those of you who have followed this forum thread you may remember some of my posts. Here is an update on my situation and how I fixed the slow login issue while off network for mobile clients. Before, I stated in my posts that my environment was comprised of an AD domain with schema modifications and an OD Xserve in the “golden triangle” config or kind of hybrid configuration. While this works fine it is not in best practice and you have to keep 2 separate directory services healthy. I decided to remove the OD component and move over to using just the AD. I was bitten by the bug described in this blog http://blog.michael.kuron-germany.de/2011/02/active-directory-mac-os-x-mcx/ so I wasn’t able to remove the OD until I fixed the Apple computer group creation problem in AD. Once that was fixed I moved all MCX settings over to AD for computer groups and removed the OD service from my Xserve. While the details of that are for another forum post I mention it here so you will be aware of the details of the environment I am working with. Also I should mention that I am only working with a single AD forest and domain in the form of subdomain.domain.org and there is none of Apple's .local crap anywhere on my network. Below are the things I changed in order to resolve the issue. All of my Macs (clients and servers) are running 10.6.8. This is where I found the solution: http://www.techsmog.com/index.php/2011/02/23/fixing-the-slow-loginlogoutauthentication-issue-in-osx-snow-leopard/ (this link was taken from posts in this thread). After doing this the login times off network of my mobile Macs went from ~12 minutes to ~5 sec. I hope this helps anyone who is still having this issue.


  1. Unbind the Mac from AD
  2. Directory Utility>Services>Active Directory>Advanced Options--- Uncheck Allow Authentication from any forest in the domain
  3. Directory Utility>Services>Active Directory>Advanced Options--- Check Prefer this domain controller and enter the IP, NOT the DNS name, of one of your Domain Controllers
  4. Bind the Mac back to AD
  5. Directory Utility>Search Policy>Contacts--- Remove /Active Directory/All Domains and add /Active Directory/yourdomain.xxx
  6. Directory Utility>Search Policy>Authentication--- Remove /Active Directory/All Domains and add /Active Directory/yourdomain.xxx

Feb 7, 2012 8:43 PM in response to TheChinaMac

I too am having these same issues. The only thing that I have not tried that has been suggested is modifying my mDNSresponder because I don't feel that is a fix for this issue. I do know of another school district with a .local domain having issues, but we're a .org.


We have about 2400 Macs running OS X 10.4-10.7, all bound to AD. About 400 users log in using domain accounts from home and are all experiencing these issues. They are all 10.6.8 machines.


I'm part of the MLTI project in Maine. I have some people that work for Apple to get in touch with. I will try to contact them tomorrow and hopefully they will be able to escalate this issue.

Feb 20, 2012 12:26 AM in response to TheChinaMac

I'm also having this issue with our mobile accounts.


A bit OT:


Apart from this, have some users reported that they were asked to reset their password after logging in while outside the office network?


And after keying in a new password, it is not accepted. It only works when they are back in the office; after logging in, they are not asked to reset their password.


One weird thing that happened once: the user tried to reset his password a lot of times and when he came back to the office, he still couldn't log in. I checked the account pref, and his account is gone but the home folder is still intact.

May 30, 2012 2:21 PM in response to minaperu

I haven't updated my thoughts in this thread for a while, so I figured I would let you all know what I have found out regarding it. I had to open one of those $700 tickets with Apple enterprise support to find all this info out. Over 2 weeks of working with Apple to solve this issue I learned many things. Apple knows about the issue and it is with DNS. There will be no more updates for Snow Leopard, for example no 10.6.9, to fix the issue. Apple was never able to fix it on my Macs even though they said it could be fixed. I gave up and moved to Lion. I was told by the Apple engineer that this issue does not exist in Lion. I have not had this issue with Lion. There are other issues with Lion that happened; however, I have worked through all of them with a few calls to Apple support. So I will state that in my environment Lion has been much better than Snow Leopard overall and does not have any login delay; in fact, login off network is now faster than on network, it takes about 2 seconds on my Mac laptops. I hope this helps.

May 31, 2012 8:09 AM in response to minaperu

We are actually no longer using OD in our environment, but yes, we do use Lion 10.7.4 server for our 2 Mac servers. The only services we use are software update and net boot for image deployment. I have not actually implemented Profile Manager yet but it looks more and more like I will have to at some point. We are 100% AD with Apple schema modifications. It works very well to deploy MCX that way, at least for us. We are small and only have 30 or so Macs. There are, however, caveats to doing it this way. I ran into one of them and fortunately it turned out to be a lot less of an issue than I thought. This article was a lifesaver for me, as well as being able to confirm with Apple engineers that even though my initial schema modifications were bugged it has no ill effects on usage because most of the bugged schema stuff is no longer used even by Apple and the rest can properly be added and modified in AD with adsedit very easily: http://blog.michael.kuron-germany.de/2011/02/active-directory-mac-os-x-mcx/ From what I have read on the web recently, Apple looks like they are phasing out MCX for the new Profile Manager method of pushing settings to clients. This is annoying for me because it only works with OD, so anyone implementing it would have to add a Mac OD server into their environment. Fortunately the Profile Manager method seems to coexist just fine with the schema modification method of controlling clients.